POL 08.00.02 Information Systems Access Policy. History: First issued: November 5, 2001. Revised: April 5, 2010. Last revised: June 18, 2014

Authority:
History: First issued: November 5, 2001. Revised: April 5, 2010. Last revised: June 18, 2014
Related Policies: NC General Statute Accessing computers
Additional References: North Carolina General Statute Statewide Security Standards Office of the State Chief Information Officer Statewide Information Security Manual
Contact Information: Associate Vice Chancellor for Information Technology and CIO, ( )

1. SCOPE

1.1 This policy is the basis for operations and procedures to be followed by technical staff, as well as all individuals who access or use the information technology resources of UNCP.

2. ACCOUNTS

2.1 Accounts are the means by which systems identify users and grant them access to resources. Proper administration of accounts is essential to maintain security and data integrity. User accounts are created using standard procedures and deleted in a timely manner. Access to system resources is provided on an as-needed basis.
Only authorized users may access university computer systems.
Faculty, staff and students are assigned accounts upon application.
Temporary employees may be assigned accounts for the duration of their employment.
UNCP approved and recognized volunteers may be assigned accounts for the duration of their volunteer involvement.
Employees of other agencies or vendors are assigned accounts for the duration of their need for the account.
Retired faculty and staff may apply to retain their account.
Alumni may retain access to an account that provides access to limited services as approved by university leadership.

2.1.8 Applications for academic systems do not require additional approval.
Applications for administrative systems require approval by the supervisor and appropriate data steward or manager.
Applications for group Web accounts require approval by the appropriate Web Information Coordinator.
Except as authorized in other policy, an individual user may not use a generic account.
The chancellor and vice chancellors retain the right, in an emergency, to grant access to data contained in a user account of an employee in their respective division or office. Emergencies may include, but are not limited to, the death or incapacity of an employee.

2.2 Enforcement
All accounts assigned to an employee are expired or deleted upon notification from Human Resources that the employee has separated from the university. Accounts may be locked in lieu of prompt deletion. Any supervisor in the employee's reporting structure may request that the employee's accounts on administrative systems be expired or locked earlier by contacting the Division of Information Technology (DoIT) directly.
Adjunct faculty accounts are terminated upon notification of the appropriate dean. The academic deans will review accounts for adjunct and part-time faculty each spring and fall semester for continued activation.
Retired UNCP faculty and staff, upon request, may continue to use their user account to access their university
An administrative account assigned to an employee is expired or deleted upon notification to DoIT from the appropriate data steward or manager that the employee no longer requires the account.
Access privileges on an administrative account are changed upon notification from the appropriate data steward or manager that the employee requires different access privileges.
Upon notification of an employee transfer by Human Resources, the appropriate data steward or manager shall be contacted to determine the continued need for an administrative account.
A group Web account assigned to an employee is expired or deleted upon notification from the appropriate Web Information Coordinator that the employee no longer requires the account.
A student account is retained until the student graduates or has not enrolled for two normal semesters (fall or spring). Access to wireless, classroom, laboratory and residential networks shall be removed during the first normal semester in which the student does not enroll.

2.2.9 UNCP employees and students gaining access with unauthorized accounts, found compromising account security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal.

2.3 Passwords
Passwords shall adhere to the following requirements:
a. Consist of a minimum of eight characters;
b. Contain at least one character from three of the following four categories: uppercase letters, lowercase letters, digits and symbols;
c. Shall not contain more than two consecutive letters from the full name or username;
d. Shall not contain dictionary words or abbreviations; and
e. Shall not contain dictionary words or abbreviations modified by substituting special characters or digits for letters.
Passwords shall be changed whenever there is a chance that the password or the system could be compromised, or whenever the password may have been revealed to an unauthorized party.
Passwords shall not be reused until a minimum of six additional distinct passwords has been used.
Passwords shall have a minimum age of five (5) days and shall expire every ninety (90) days. Passwords with any degree of system privileges beyond a typical user account on the system shall expire every thirty (30) days.
Accounts with normal user access shall be automatically locked after five (5) failed authentication attempts. Accounts with any degree of system privileges on enterprise systems shall be automatically locked after three (3) failed authentication attempts.
Passwords used for accounts with any degree of system privileges shall be different from all other passwords for accounts used by the user.
Passwords used on university systems shall not be used on external, non-university systems.
Passwords shall not be stored in web browsers or other applications that provide automated password input.
Passwords shall not be written down, stored in clear text or transmitted in .

Passwords for service accounts shall be changed at least every one hundred and eighty (180) days, and may be changed more frequently. Passwords for service accounts shall not be configured to automatically expire. Passwords for service accounts shall be changed promptly following the transfer or separation of any employee with access to the password, or following the end of a project or service engagement in which third parties had access to the password. A Service Account is an account created by system administrators or vendors for automated use by an application, operating system or network device.
Passwords for visitors, contractors and other third parties shall meet all other requirements of this section. In addition, passwords shall not be disclosed to these parties until such time as they are needed and passwords shall be immediately changed upon completion of access purpose. Accounts for third parties may be retained indefinitely but shall be inactive when not in use.
Passwords for alumni accounts may be exempt from password reset requirements if those accounts do not provide access to protected or sensitive data.

2.4 Enforcement
Systems that have the capability are to warn users within 20 days of password expiration.
Users with multiple accounts are to use multiple passwords.
UNCP employees gaining access using another user's account and password, found compromising account security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies.
All systems shall implement a means of locking or ending an idle session. Desktops and laptops shall employ password protected screen savers.

2.5 Privileged accounts on administrative systems
Privileged accounts on administrative systems have the potential to impact not only the operation of those systems, but also have a major impact on the entire university.
Where facilities permit, all activity in accounts with system privileges on administrative systems must be monitored.
Where facilities permit, all activity in accounts with production privileges and access to command procedures or source programs on administrative systems must be monitored.
Monitoring of accounts must be completed routinely. Logs of monitoring activity must be maintained.

2.5.5 Where facilities do not permit monitoring as described in and 2.5.3, above, alternative forms of controls must be employed.

3. PHYSICAL SECURITY

3.1 Physical security deals with controls over direct physical access to system components and network devices. Physical security is a key layer of overall security and is the foundation of several other layers. Physical security must be maintained at all times.

3.2 Machine room access and security
The machine room(s) store(s) valuable equipment and sensitive data and must be secured at all times.
Machine room doors are to remain locked at all times.
Machine room windows are to be screened to prevent access.
Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, doors to offices adjacent to the machine room(s) are to remain locked.
Only authorized personnel are permitted access to the machine room(s).
DoIT personnel whose duties require routine access to the equipment within the machine room(s) are permitted to retain the combination. A list of these personnel shall be maintained in the Office of the CIO.
Personnel whose duties require occasional access to the machine room(s) are not permitted access to the combination. These personnel may have access to the machine room(s) only as long as their duties require and must be supervised by DoIT personnel with access to the combination. These personnel include housekeeping, maintenance or other university staff as well as vendor representatives.

3.3 Enforcement
Upon the approval of the Chief Information Officer, the Associate Chief Information Officer, the Assistant Chief Information Officer or the Director of Network and System Administration, guests may tour the machine room(s). Guests are to be supervised by DoIT employees with access to the combination at all times.
Any guest or personnel without access to the combination must sign in and out whenever they enter and leave the machine room.
Combinations to the machine room doors are changed periodically or whenever any staff member with access to the combination leaves the university's employment or is assigned duties that do not require access to the machine room(s).

3.3.4 UNCP employees found accessing these rooms without just cause, gaining access without following approved policy and procedure guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies.

3.4 Network closet access and security
Network closets store valuable equipment and allow direct access to network devices. They must be secured at all times.
Network closet doors are to remain locked at all times.
Network closet windows are to be screened or barred to prevent access.
Only authorized personnel are permitted access to network closets.
DoIT personnel whose duties require access to the equipment within the network closets are permitted to obtain a key. A list of these personnel shall be maintained in the Office of the CIO.
In those cases where network closets are also used for other purposes, networking equipment is to be secured within a locked cabinet.
Non-DoIT personnel desiring to gain entry into mechanical rooms that also serve as institutional data closets must check out the door key using normal key checkout procedures within Facilities Management. The person checking out the key must provide their name as well as the date and time the key is checked out. A justification for accessing the room must also be included. This is accomplished through the key sign-out log kept by facilities staff in the work control center.
While accessing the closet, security of the doors must not be compromised in any manner nor should the door be left open without personal supervision. Unauthorized employees must not be allowed to enter the mechanical/data closet space. The individual checking out the key is accountable for the security of the mechanical/data closet space until the key is returned.
Non-university personnel cannot be issued a key to any mechanical/data closet. Keys will only be issued to the responsible UNCP employee. The listing of UNCP personnel approved to obtain a key will be kept in the key log in Facilities Management. If the work is contracted, then the contractor is to be supervised by DoIT staff and/or Facilities Management staff during the work. The Facilities Management Director will review the key log file for compliance.
Upon completion of the necessary access, the person checking out the key must return the closet key and include the date and time of the return.

3.5 Enforcement

3.5.1 All access to mechanical/data closet by UNCP personnel other than DoIT staff must be recorded as part of Facilities Management's key check-out process. UNCP employees found accessing these rooms without just cause, gaining access without following approved policy and procedure guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies.
Upon the approval of the Chief Information Officer, the Associate Chief Information Officer, the Assistant Chief Information Officer or the Director of Network and System Administration, guests may tour a network closet. Guests are to be supervised by DoIT employees.

3.6 Office access and security
The offices of DoIT contain a great deal of valuable equipment and sensitive data. The offices must be secured at all times.
Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, the doors to the offices are to remain locked.
Only DoIT personnel are allowed keys to the offices.
Temporary and student workers are not permitted to retain keys to the offices, unless their duties require them to enter after normal office hours.
Only the Associate Vice Chancellor for Information Resources, the Associate Chief Information Officer, the Assistant Chief Information Officer and the Director of IT Planning and Budget and the university locksmith are permitted master keys to each office.
DoIT staff should be aware of any visitors and monitor their actions.

3.7 Operator area access and security
The operator area is a place for operators to work containing valuable equipment and sensitive data. It provides access to the machine room and must be secured at all times.
Normal office hours are Monday-Friday, from 8 a.m. to 5 p.m. At all other times, the doors to the operator's area and adjacent offices are to remain locked.
All DoIT personnel are permitted access to the operator's area during the normal office hours.
Other university staff, guests or vendor representatives whose duties require their presence in the operator's area are to be supervised by DoIT staff at all times.
DoIT personnel should be aware of any visitors and monitor their actions.

3.7.6 DoIT personnel whose duties require access to the machine room are permitted to retain the combination to the operator's area. A list of these personnel is maintained in the Office of the CIO.

3.8 Enforcement
UNCP employees found accessing the Operator Area or DoIT offices without just cause or gaining access without following policy guidelines, compromising room security, or allowing unauthorized access may be subject to disciplinary action which may include dismissal in accordance with federal, state and local laws and policies.

4. RETENTION OF FILES FROM EXPIRED OR DELETED ACCOUNTS

4.1 Although a user account may be expired or deleted, data files stored in those accounts may be important to the university.
4.2 Files in individual directories from expired or deleted accounts on administrative systems may be reviewed and copied by the appropriate data steward or manager or by application staff from DoIT.
4.3 The supervisor shall review and retain files on desktops or laptops from expired or deleted accounts, as described in other policy. These files shall be deleted before the desktop or laptop is re-purposed or disposed of.
4.4 Files in individual directories on storage systems shall be reviewed and copied by the supervisor as described in other policy. The files shall be deleted after six months.
4.5 Files in individual directories from expired or deleted accounts on academic systems will be kept for six months and then deleted.
4.6 Files in individual directories from expired or deleted accounts on Web systems will be kept for six months and then deleted.

5. DATA RETENTION

5.1 Various federal and state requirements exist that dictate the amount of time for which the university must retain data. It is the responsibility of the employee's former supervisor to ensure that data in an employee's files are retained according to these requirements.

6. ACCESS TO PROGRAMS AND COMMAND PROCEDURES

6.1 Access to programs and command procedures has the potential to make a significant impact on the university. This impact includes risk associated with allowing access to confidential information, trade secrets or other materials under the constraints of a non-disclosure agreement. It also includes risk from users or intruders bypassing normal security methods to access or copy confidential information.
6.2 On administrative systems, read access to the source code of programs or command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software.
6.3 On Web systems, read access to the source code of programs or command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software.


More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

Cyber Self Assessment

Cyber Self Assessment Cyber Self Assessment According to Protecting Personal Information A Guide for Business 1 a sound data security plan is built on five key principles: 1. Take stock. Know what personal information you have

More information

CREDIT CARD SECURITY POLICY PCI DSS 2.0

CREDIT CARD SECURITY POLICY PCI DSS 2.0 Responsible University Official: University Compliance Officer Responsible Office: Business Office Reviewed Date: 10/29/2012 CREDIT CARD SECURITY POLICY PCI DSS 2.0 Introduction and Scope Introduction

More information

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004) Hamilton College Administrative Information Systems Security Policy and Procedures Approved by the IT Committee (December 2004) Table of Contents Summary... 3 Overview... 4 Definition of Administrative

More information

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014

Tenth Judicial Circuit of Florida Information Systems Acceptable Use Guidelines Polk, Hardee and Highlands Counties as of January 2014 Tenth Judicial Circuit of Florida Information Systems Acceptable Use s Polk, Hardee and Highlands Counties as of January 2014 The following guidelines define the acceptable use of information technology

More information

Department of Information Technology

Department of Information Technology Department of Information Technology ISSUE DATE: 6/3/08 EFFECTIVE DATE: 9/1/08 Facilities TITLE: Physical Access Control for DoIT POLICY NUMBER: DOIT-773-3102-001-A REVISED DATE: NEXT REVIEW DATE: 9/1/09

More information

State of Vermont. User Password Policy and Guidelines

State of Vermont. User Password Policy and Guidelines State of Vermont User Password Policy and Guidelines Date of Rewrite Approval: 10/2009 Originally Approved: 4/08/2005 Approved by: Neale F. Lunderville Policy Number: fib lleul~ 1.0 Introduction... 3 1.1

More information

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General

M E M O R A N D U M. Revised Information Technology Security Procedures INFORMATION TECHNOLOGY SECURITY PROCEDURES. I. General M E M O R A N D U M To: From: IT Steering Committee Brian Cohen Date: March 26, 2009 Subject: Revised Information Technology Security Procedures The following is a revised version of the Information Technology

More information

DEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE

DEPARTMENT OF MENTAL HEALTH POLICY/PROCEDURE 2 of 10 2.5 Failure to comply with this policy, in whole or in part, if grounds for disciplinary actions, up to and including discharge. ADMINISTRATIVE CONTROL 3.1 The CIO Bureau s Information Technology

More information

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP) 201 CMR 17.00 Standards for the Protection of Personal Information Of Residents of the Commonwealth of Massachusetts Revised April 28,

More information

State of Vermont. System/Service Password Policy. Date: 10/2009 Approved by: Neale F. Lunderville Policy Number:

State of Vermont. System/Service Password Policy. Date: 10/2009 Approved by: Neale F. Lunderville Policy Number: State of Vermont System/Service Password Policy Date: 10/2009 Approved by: Neale F. Lunderville Policy Number: Contents Contents 1.0 Introduction... 3 1.1 Authority... 3 1.2 Purpose... 3 1.3 Scope... 3

More information

Network Password Management Policy & Procedures

Network Password Management Policy & Procedures Network Password Management Policy & Procedures Document Ref ISO 27001 Section 11 Issue No Version 1.3 Document Control Information Issue Date April 2009, June 2010, September 2011 Status Approved By FINAL

More information

Contact: Henry Torres, (870) 972-3033

Contact: Henry Torres, (870) 972-3033 Information & Technology Services Management & Security Principles & Procedures Executive Summary Contact: Henry Torres, (870) 972-3033 Background: The Security Task Force began a review of all procedures

More information

IT ACCESS CONTROL AND USER ACCESS MANAGEMENT POLICY

IT ACCESS CONTROL AND USER ACCESS MANAGEMENT POLICY IT ACCESS CONTROL AND USER Effective Date May 20, 2016 Cross-Reference 1. Contract Management Policy Responsibility Director, Information 2. IT Password Policy Technology 3. Record Classification and Handling

More information

Authentication Credentials Complexity Standard

Authentication Credentials Complexity Standard Authentication Credentials Complexity Standard Table of Contents Revisions... 2 Overview... 3 Risk Levels... 3 Risk Level 1... 3 Risk Level 2... 3 Risk Level 3... 3 Risk Level 4... 3 Standards for Credentials

More information

IT Security Procedure

IT Security Procedure IT Security Procedure 1. Purpose This Procedure outlines the process for appropriate security measures throughout the West Coast District Health Board (WCDHB) Information Systems. 2. Application This Procedure

More information

Franciscan University of Steubenville Information Security Policy

Franciscan University of Steubenville Information Security Policy Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support,

More information

Guideline on Access Control

Guideline on Access Control CMSGu2011-08 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Access Control National Computer Board Mauritius Version 1.0

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

Identity Theft Prevention Program Compliance Model

Identity Theft Prevention Program Compliance Model September 29, 2008 State Rural Water Association Identity Theft Prevention Program Compliance Model Contact your State Rural Water Association www.nrwa.org Ed Thomas, Senior Environmental Engineer All

More information

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4.

TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE 2.0 PURPOSE 3.0 SCOPE 4. TOURO UNIVERSITY WORLDWIDE AND TOURO COLLEGE LOS ANGELES IDENTITY THEFT PREVENTION POLICY 1.0 POLICY/PROCEDURE Touro adopts this identity theft policy to help protect employees, students, contractors and

More information

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008

AUBURN WATER SYSTEM. Identity Theft Prevention Program. Effective October 20, 2008 AUBURN WATER SYSTEM Identity Theft Prevention Program Effective October 20, 2008 I. PROGRAM ADOPTION Auburn Water System developed this Identity Theft Prevention Program ("Program") pursuant to the Federal

More information

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy )

EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) EAA Policy for Accepting and Handling Credit and Debit Card Payments ( Policy ) Background Due to increased threat of identity theft, fraudulent credit card activity and other instances where cardholder

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

HAVERFORD COLLEGE IITS: POLICY AND PLANNING

HAVERFORD COLLEGE IITS: POLICY AND PLANNING Contents: 1. Preface 2. Policy 3. Audit and Compliance Section 1. Preface A. Name. The formal name of this policy is the Policy. B. Status of This Policy 1. Draft. Completed 4/11/2013 2. Public Review

More information

Montclair State University. HIPAA Security Policy

Montclair State University. HIPAA Security Policy Montclair State University HIPAA Security Policy Effective: June 25, 2015 HIPAA Security Policy and Procedures Montclair State University is a hybrid entity and has designated Healthcare Components that

More information

Application Security Policy

Application Security Policy Purpose This document establishes the corporate policy and standards for ensuring that applications developed or purchased at LandStar Title Agency, Inc meet a minimum acceptable level of security. Policy

More information

STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS

STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS STUDENT RECORD POLICY, PROCEDURES AND DEFINITIONS PURPOSE The purpose of establishing this policy is to ensure Virginia Union University s compliance with the Family Educational Rights and Privacy Act

More information

Controls for the Credit Card Environment Edit Date: May 17, 2007

Controls for the Credit Card Environment Edit Date: May 17, 2007 Controls for the Credit Card Environment Edit Date: May 17, 2007 Status: Approved in concept by Executive Staff 5/15/07 This document contains policies, standards, and procedures for securing all credit

More information

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Name: Position held: Company Name: Is your organisation ISO27001 accredited: Third Party Information Security Questionnaire This questionnaire is to be completed by the system administrator and by the third party hosting company if a separate company is used. Name: Position held:

More information

UT Martin Password Policy May 2015

UT Martin Password Policy May 2015 UT Martin Password Policy May 2015 SCOPE The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by the University of Tennessee at Martin. Any information

More information

HIPAA Information Security Overview

HIPAA Information Security Overview HIPAA Information Security Overview Security Overview HIPAA Security Regulations establish safeguards for protected health information (PHI) in electronic format. The security rules apply to PHI that is

More information

8.1.6 POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES. Policy Statement COLLEGE OF CHARLESTON POLICY ON

8.1.6 POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES. Policy Statement COLLEGE OF CHARLESTON POLICY ON OFFICIAL POLICY 8.1.6 POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES 03/21/11 Policy Statement COLLEGE OF CHARLESTON POLICY ON KEYS AND OTHER BUILDING ACCESS DEVICES 1.0 PURPOSE OF POLICY The purpose

More information

NORTH CAROLINA AGRICULTURAL AND TECHNICAL STATE UNIVERSITY

NORTH CAROLINA AGRICULTURAL AND TECHNICAL STATE UNIVERSITY Student Email Use page 1 NORTH CAROLINA AGRICULTURAL AND TECHNICAL STATE UNIVERSITY SEC. VII E-MAIL 3.0 STUDENT EMAIL USE University Policy I. Scope The purpose of this policy is to ensure the proper use

More information

Responsible Use of Technology and Information Resources

Responsible Use of Technology and Information Resources Responsible Use of Technology and Information Resources Introduction: The policies and guidelines outlined in this document apply to the entire Wagner College community: students, faculty, staff, alumni

More information

PASSWORD MANAGEMENT POLICY OCIO-6012-09 TABLE OF CONTENTS

PASSWORD MANAGEMENT POLICY OCIO-6012-09 TABLE OF CONTENTS OFFICE OF THE CHIEF INFORMATION OFFICER PASSWORD MANAGEMENT POLICY OCIO-6012-09 Date of Issuance: May 22, 2009 Effective Date: May 22, 2009 Review Date: TABLE OF CONTENTS Section I. PURPOSE II. AUTHORITY

More information

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008

DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 DRAFT National Rural Water Association Identity Theft Program Model September 22, 2008 This model has been designed to help water and wastewater utilities comply with the Federal Trade Commission s (FTC)

More information

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices

SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices SUBJECT: Effective Date Policy Number Security of Mobile Computing, Data Storage, and Communication Devices 8-27-2015 4-007.1 Supersedes 4-007 Page Of 1 5 Responsible Authority Vice Provost for Information

More information

AUBnet (email) Accounts Policies

AUBnet (email) Accounts Policies (email) s Policies Reference: CNS-P-Acct Revision: B Supersedes: Purpose: Source: CNS-P-EMAIL-A This policy and related policies provide the framework in which all accounts and email and intranet are provided

More information

HIPAA 101: Privacy and Security Basics

HIPAA 101: Privacy and Security Basics HIPAA 101: Privacy and Security Basics Purpose This document provides important information about Kaiser Permanente policies and state and federal laws for protecting the privacy and security of individually

More information

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY Page 1 of 6 Summary The Payment Card Industry Data Security Standard (PCI DSS), a set of comprehensive requirements for enhancing payment account

More information

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state.

This policy applies to all DRC employees, contractors, volunteers, interns and other agents of the state. STATE OF OHIO SUBJECT: PAGE 1 OF 9 DRC Sensitive Data Security Requirements NUMBER: 05-OIT-23 DEPARTMENT OF REHABILITATION AND CORRECTION RULE/CODE REFERENCE: RELATED ACA STANDARDS: SUPERSEDES: 05-OIT-23

More information

Vulnerability Management Policy

Vulnerability Management Policy Vulnerability Management Policy Policy Statement Computing devices storing the University s Sensitive Information (as defined below) or Mission-Critical computing devices (as defined below) must be fully

More information

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT

CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT CITRUS COMMUNITY COLLEGE DISTRICT GENERAL INSTITUTION AP 3721 COMPUTER AND NETWORK ACCOUNT AND PASSWORD MANAGEMENT 1.0 Purpose The purpose of this procedure is to establish a standard for the administration

More information

Introduction. PCI DSS Overview

Introduction. PCI DSS Overview Introduction Manage Engine Desktop Central is part of ManageEngine family that represents entire IT infrastructure with products such as Network monitoring, Helpdesk management, Application management,

More information

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL for INFORMATION RESOURCES Updated: June 2007 Information Resources Security Manual 1. Purpose of Security Manual 2. Audience 3. Acceptable

More information

Virginia Commonwealth University School of Medicine Information Security Standard

Virginia Commonwealth University School of Medicine Information Security Standard Virginia Commonwealth University School of Medicine Information Security Standard Title: Scope: Data Handling and Storage Standard This standard is applicable to all VCU School of Medicine personnel. Approval

More information

Network Protection and Information Security Policy

Network Protection and Information Security Policy Network Protection and Information Security Policy Purpose... 1 Scope... 1 Policy... 1 Responsibilities... 1 System Access Control... 2 System Privileges... 4 Establishment Of Access Paths... 6 Computer

More information

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 1 Walton Centre Access and Authentication (network) Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 2 Table of Contents Section

More information

HELPFUL TIPS: MOBILE DEVICE SECURITY

HELPFUL TIPS: MOBILE DEVICE SECURITY HELPFUL TIPS: MOBILE DEVICE SECURITY Privacy tips for Public Bodies/Trustees using mobile devices This document is intended to provide general advice to organizations on how to protect personal information

More information

NASDAQ Web Security Entitlement Installation Guide November 13, 2007

NASDAQ Web Security Entitlement Installation Guide November 13, 2007 November 13, 2007 Table of Contents: Copyright 2006, The Nasdaq Stock Market, Inc. All rights reserved.... 2 Chapter 1 - Entitlement Overview... 3 Hardware/Software Requirements...3 NASDAQ Workstation...3

More information

Information Security Policy

Information Security Policy Information Security Policy Touro College/University ( Touro ) is committed to information security. Information security is defined as protection of data, applications, networks, and computer systems

More information

Retention & Destruction

Retention & Destruction Last Updated: March 28, 2014 This document sets forth the security policies and procedures for WealthEngine, Inc. ( WealthEngine or the Company ). A. Retention & Destruction Retention & Destruction of

More information

Information Security Operational Procedures

Information Security Operational Procedures College Of Coastal Georgia Information Security Operational Procedures Banner Student Information System Security Policy INTRODUCTION This document provides a general framework of the policy utilized by

More information

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index

Section 5 Identify Theft Red Flags and Address Discrepancy Procedures Index Index Section 5.1 Purpose.... 2 Section 5.2 Definitions........2 Section 5.3 Validation Information.....2 Section 5.4 Procedures for Opening New Accounts....3 Section 5.5 Procedures for Existing Accounts...

More information

Rules of the Road for Users of Smithsonian Computers and Networks

Rules of the Road for Users of Smithsonian Computers and Networks Rules of the Road for Users of Smithsonian Computers and Networks Introduction Smithsonian systems, networks and other computer resources are shared among Smithsonian employees, interns, visiting scholars,

More information